You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I think the user activation requirement might be problematic or even a blocker for the ad-fraud detection use-case, where user interaction with captchas is not usually possible.
The risk here seems to be low, and the activation defense will might not be a problem for an attacker (that can just ask you to click, or wait you to click or something). Other options to mitigate this might requiring caching redemption tokens, rate limiting redemptions, or removing the private bit option (all have their own problems).
Is it possible to restrict the issuer to set the same bit/bits on all tokens in the batch to mitigate data transfer?
Do you think randomizing token redemption order might mitigate this attack? (transform data transfer from #tokens bits to log(#tokens) bits? Also the browser can randomly delete tokens to reduce the amount of information.
Regarding the sentence: "At redemption, we can slow down the rate of redemption by returning cached Redemption Records when an issuer attempts too many refreshes" - is there a requirement for minimal caching time? How it is a mitigation if not?
In addition, I'm interested if current Chrome currently implements or intend to implement this activation requirement - I haven't find it in the design document. Do you have more information about this?
What do you think?
Thanks!
The text was updated successfully, but these errors were encountered:
Hello,
I think the user activation requirement might be problematic or even a blocker for the ad-fraud detection use-case, where user interaction with captchas is not usually possible.
The risk here seems to be low, and the activation defense will might not be a problem for an attacker (that can just ask you to click, or wait you to click or something). Other options to mitigate this might requiring caching redemption tokens, rate limiting redemptions, or removing the private bit option (all have their own problems).
Is it possible to restrict the issuer to set the same bit/bits on all tokens in the batch to mitigate data transfer?
Do you think randomizing token redemption order might mitigate this attack? (transform data transfer from #tokens bits to log(#tokens) bits? Also the browser can randomly delete tokens to reduce the amount of information.
Regarding the sentence: "At redemption, we can slow down the rate of redemption by returning cached Redemption Records when an issuer attempts too many refreshes" - is there a requirement for minimal caching time? How it is a mitigation if not?
In addition, I'm interested if current Chrome currently implements or intend to implement this activation requirement - I haven't find it in the design document. Do you have more information about this?
What do you think?
Thanks!
The text was updated successfully, but these errors were encountered: